Controlling access by code

ABSTRACT

A novel code signing system, computer readable media, and method are provided. The code signing method includes receiving a code signing request from a requestor in order to gain access to one or more specific application programming interfaces (APIs). A digital signature is provided to the requestor. The digital signature indicates authorization by a code signing authority for code of the requestor to access the one or more specific APIs. In one example, the digital signature is provided by the code signing authority or a delegate thereof. In another example, the code signing request may include one or more of the following: code, an application, a hash of an application, an abridged version of the application, a transformed version of an application, a command, a command argument, and a library.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of “Controlling Access By Code”, U.S.application Ser. No. 14/459,785, filed Aug. 14, 2014, now U.S. Pat. No.9,507,920, which claims priority to the following applications:“Software Code Signing System And Method,” U.S. application Ser. No.13/754,162, filed Jan. 30, 2013, now U.S. Pat. No. 8,984,278; “SoftwareCode Signing System And Method,” U.S. application Ser. No. 10/381,219,filed Mar. 20, 2003, now U.S. Pat. No. 8,489,868; “Code Signing SystemAnd Method,” U.S. Provisional Application No. 60/270,663, filed Feb. 20,2001; “Code Signing System And Method,” U.S. Provisional Application No.60/235,354, filed Sep. 26, 2000; “Code Signing System And Method,” U.S.Provisional Application No. 60/234,152, filed Sep. 21, 2000; and “CodeSigning System and Method,” International (PCT) Application No.CA/01/01344 filed Sep. 20, 2001. The entire disclosures of each of theabove-referenced applications are hereby incorporated by referencehereinto in their entirety.

BACKGROUND

1. Field of the Invention

This invention relates generally to the field of security protocols forsoftware applications. More particularly, the invention provides a codesigning system and method that is particularly well suited for Java™applications for mobile communication devices, such as Personal DigitalAssistants, cellular telephones, and wireless two-way communicationdevices (collectively referred to hereinafter as “mobile devices” orsimply “devices”).

2. Description of the Related Art

Security protocols involving software code signing schemes are known.Typically, such security protocols are used to ensure the reliability ofsoftware applications that are downloaded from the Internet. In atypical software code signing scheme, a digital signature is attached toa software application that identifies the software developer. Once thesoftware is downloaded by a user, the user typically must use his or herjudgment to determine whether or not the software application isreliable, based solely on his or her knowledge of the softwaredeveloper's reputation. This type of code signing scheme does not ensurethat a software application written by a third party for a mobile devicewill properly interact with the device's native applications and otherresources. Because typical code signing protocols are not secure andrely solely on the judgment of the user, there is a serious risk thatdestructive, “Trojan horse” type software applications may be downloadedand installed onto a mobile device.

There also remains a need for network operators to have a system andmethod to maintain control over which software applications areactivated on mobile devices.

There remains a further need in 2.5G and 3G networks where corporateclients or network operators would like to control the types of softwareon the devices issued to its employees.

SUMMARY

A code signing system and method is provided. The code signing systemoperates in conjunction with a software application having a digitalsignature and includes an application platform, an applicationprogramming interface (API), and a virtual machine. The API isconfigured to link the software application with the applicationplatform. The virtual machine verifies the authenticity of the digitalsignature in order to control access to the API by the softwareapplication.

A code signing system for operation in conjunction with a softwareapplication having a digital signature, according to another embodimentof the invention comprises an application platform, a plurality of APIs,each configured to link the software application with a resource on theapplication platform, and a virtual machine that verifies theauthenticity of the digital signature in order to control access to theAPI by the software application, wherein the virtual machine verifiesthe authenticity of the digital signature in order to control access tothe plurality of APIs by the software application.

According to a further embodiment of the invention, a method ofcontrolling access to sensitive application programming interfaces on amobile device comprises the steps of loading a software application onthe mobile device that requires access to a sensitive API, determiningwhether or not the software application includes a digital signatureassociated with the sensitive API, and if the software application doesnot include a digital signature associated with the sensitive API, thendenying the software application access to the sensitive API.

In another embodiment of the invention, a method of controlling accessto an application programming interface (API) on a mobile device by asoftware application created by a software developer comprises the stepsof receiving the software application from the software developer,reviewing the software application to determine if it may access theAPI, if the software application may access the API, then appending adigital signature to the software application, verifying theauthenticity of a digital signature appended to a software application,and providing access to the API to software applications for which theappended digital signature is authentic.

A method of restricting access to a sensitive API on a mobile device,according to a further embodiment of the invention, comprises the stepsof registering one or more software developers that are trusted todesign software applications which access the sensitive API, receiving ahash of a software application, determining if the software applicationwas designed by one of the registered software developers, and if thesoftware application was designed by one of the registered softwaredevelopers, then generating a digital signature using the hash of thesoftware application, wherein the digital signature may be appended tothe software application, and the mobile device verifies theauthenticity of the digital signature in order to control access to thesensitive API by the software application.

In a still further embodiment, a method of restricting access toapplication programming interfaces on a mobile device comprises thesteps of loading a software application on the mobile device thatrequires access to one or more API, determining whether or not thesoftware application includes a digital signature associated with themobile device, and if the software application does not include adigital signature associated with the mobile device, then denying thesoftware application access to the one or more APIs.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a code signing protocol according toone embodiment of the invention;

FIG. 2 is a flow diagram of the code signing protocol described abovewith reference to FIG. 1;

FIG. 3 is a block diagram of a code signing system on a mobile device;

FIG. 3A is a block diagram of a code signing system on a plurality ofmobile devices;

FIG. 4 is a flow diagram illustrating the operation of the code signingsystem described above with reference to FIG. 3 and FIG. 3A;

FIG. 5 is a flow diagram illustrating the management of the code signingauthorities described with reference to FIG. 3A; and

FIG. 6 is a block diagram of a mobile communication device in which acode signing system and method may be implemented.

DETAILED DESCRIPTION

Referring now to the drawing figures, FIG. 1 is a diagram illustrating acode signing protocol according to one embodiment of the invention. Anapplication developer 12 creates a software application 14 (applicationY) for a mobile device that requires access to one or more sensitiveAPIs on the mobile device. The software application Y 14 may, forexample, be a Java application that operates on a Java virtual machineinstalled on the mobile device. An API enables the software applicationY to interface with an application platform that may include, forexample, resources such as the device hardware, operating system andcore software and data models. In order to make function calls to orotherwise interact with such device resources, a software application Ymust access one or more APIs. APIs can thereby effectively “bridge” asoftware application and associated device resources. In thisdescription and the appended claims, references to API access should beinterpreted to include access of an API in such a way as to allow asoftware application Y to interact with one or more corresponding deviceresources. Providing access to any API therefore allows a softwareapplication Y to interact with associated device resources, whereasdenying access to an API prevents the software application Y frominteracting with the associated resources. For example, a database APImay communicate with a device file or data storage system, and access tothe database API would provide for interaction between a softwareapplication Y and the file or data storage system. A user interface (UI)API would communicate with controllers and/or control software for suchdevice components as a screen, a keyboard, and any other devicecomponents that provide output to a user or accept input from a user. Ina mobile device, a radio API may also be provided as an interface towireless communication resources such as a transmitter and receiver.Similarly, a cryptographic API may be provided to interact with a cryptomodule which implements crypto algorithms on a device. These are merelyillustrative examples of APIs that may be provided on a device. A devicemay include any of these example APIs, or different APIs instead of orin addition to those described above.

Preferably, any API may be classified as sensitive by a mobile devicemanufacturer, or possibly by an API author, a wireless network operator,a device owner or operator, or some other entity that may be affected bya virus or malicious code in a device software application. Forinstance, a mobile device manufacturer may classify as sensitive thoseAPIs that interface with cryptographic routines, wireless communicationfunctions, or proprietary data models such as address book or calendarentries. To protect against unauthorized access to these sensitive APIs,the application developer 12 is required to obtain one or more digitalsignatures from the mobile device manufacturer or other entity thatclassified any APIs as sensitive, or from a code signing authority 16acting on behalf of the manufacturer or other entity with an interest inprotecting access to sensitive device APIs, and append the signature(s)to the software application Y 14.

In one embodiment, a digital signature is obtained for each sensitiveAPI or library that includes a sensitive API to which the softwareapplication requires access. In some cases, multiple signatures aredesirable. This would allow a service provider, company or networkoperator to restrict some or all software applications loaded or updatedonto a particular set of mobile devices. In this multiple-signaturescenario, all APIs are restricted and locked until a “global” signatureis verified for a software application. For example, a company may wishto prevent its employees from executing any software applications ontotheir devices without first obtaining permission from a corporateinformation technology (IT) or computer services department. All suchcorporate mobile devices may then be configured to require verificationof at least a global signature before a software application can beexecuted. Access to sensitive device APIs and libraries, if any, couldthen be further restricted, dependent upon verification of respectivecorresponding digital signatures.

The binary executable representation of software application Y 14 may beindependent of the particular type of mobile device or model of a mobiledevice. Software application Y 14 may for example be in awrite-once-run-anywhere binary format such as is the case with Javasoftware applications. However, it may be desirable to have a digitalsignature for each mobile device type or model, or alternatively foreach mobile device platform or manufacturer. Therefore, softwareapplication Y 14 may be submitted to several code signing authorities ifsoftware application Y 14 targets several mobile devices.

Software application Y 14 is sent from the application developer 12 tothe code signing authority 16. In the embodiment shown in FIG. 1, thecode signing authority 16 reviews the software application Y 14,although as described in further detail below, it is contemplated thatthe code signing authority 16 may also or instead consider the identityof the application developer 12 to determine whether or not the softwareapplication Y 14 should be signed. The code signing authority 16 ispreferably one or more representatives from the mobile devicemanufacturer, the authors of any sensitive APIs, or possibly others thathave knowledge of the operation of the sensitive APIs to which thesoftware application needs access.

If the code signing authority 16 determines that software application Y14 may access the sensitive API and therefore should be signed, then asignature (not shown) for the software application Y 14 is generated bythe code signing authority 16 and appended to the software application Y14. The signed software application Y 22, comprising the softwareapplication Y 14 and the digital signature, is then returned to theapplication developer 12. The digital signature is preferably a tag thatis generated using a private signature key 18 maintained solely by thecode signing authority 16. For example, according to one signaturescheme, a hash of the software application Y 14 may be generated, usinga hashing algorithm such as the Secure Hash Algorithm SHA1, and thenused with the private signature key 18 to create the digital signature.In some signature schemes, the private signature key is used to encrypta hash of information to be signed, such as software application Y 14,whereas in other schemes, the private key may be used in other ways togenerate a signature from the information to be signed or a transformedversion of the information.

The signed software application Y 22 may then be sent to a mobile device28 or downloaded by the mobile device 28 over a wireless network 24. Itshould be understood, however, that a code signing protocol according tothe present invention is not limited to software applications that aredownloaded over a wireless network. For instance, in alternativeembodiments, the signed software application Y 22 may be downloaded to apersonal computer via a computer network and loaded to the mobile devicethrough a serial link, or may be acquired from the application developer12 in any other manner and loaded onto the mobile device. Once thesigned software application Y 22 is loaded on the mobile device 28, eachdigital signature is preferably verified with a public signature key 20before the software application Y 14 is granted access to a sensitiveAPI library. Although the signed software application Y 22 is loadedonto a device, it should be appreciated that the software applicationthat may eventually be executed on the device is the softwareapplication Y 14. As described above, the signed software application Y22 includes the software application Y 14 and one or more appendeddigital signatures (not shown). When the signatures are verified, thesoftware application Y 14 can be executed on the device and access anyAPIs for which corresponding signatures have been verified.

The public signature key 20 corresponds to the private signature key 18maintained by the code signing authority 16, and is preferably installedon the mobile device along with the sensitive API. However, the publickey 10 may instead be obtained from a public key repository (not shown),using the device 28 or possibly a personal computer system, andinstalled on the device 28 as needed. According to one embodiment of asignature scheme, the mobile device 28 calculates a hash of the softwareapplication Y 14 in the signed software application Y 22, using the samehashing algorithm as the code signing authority 16, and uses the digitalsignature and the public signature key 20 to recover the hash calculatedby the signing authority 16. The resultant locally calculated hash andthe hash recovered from the digital signature are then compared, and ifthe hashes are the same, the signature is verified. The softwareapplication Y 14 can then be executed on the device 28 and access anysensitive APIs for which the corresponding signature(s) have beenverified. As described above, the invention is in no way limited to thisparticular illustrative example signature scheme. Other signatureschemes, including further public key signature schemes, may also beused in conjunction with the code signing methods and systems describedherein.

FIG. 2 is a flow diagram 30 of the code signing protocol described abovewith reference to FIG. 1. The protocol begins at step 32. At step 34, asoftware developer writes the software application Y for a mobile devicethat requires access to a sensitive API or library that exposes asensitive API (API library A). As discussed above, some or all APIs on amobile device may be classified as sensitive, thus requiringverification of a digital signature for access by any softwareapplication such as software application Y. In step 36, application Y istested by the software developer, preferably using a device simulator inwhich the digital signature verification function has been disabled. Inthis manner, the software developer may debug the software application Ybefore the digital signature is acquired from the code signingauthority. Once the software application Y has been written anddebugged, it is forwarded to the code signing authority in step 38.

In steps 40 and 42, the code signing authority reviews the softwareapplication Y to determine whether or not it should be given access tothe sensitive API, and either accepts or rejects the softwareapplication. The code signing authority may apply a number of criteriato determine whether or not to grant the software application access tothe sensitive API including, for example, the size of the softwareapplication, the device resources accessed by the API, the perceivedutility of the software application, the interaction with other softwareapplications, the inclusion of a virus or other destructive code, andwhether or not the developer has a contractual obligation or otherbusiness arrangement with the mobile device manufacturer. Furtherdetails of managing code signing authorities and developers aredescribed below in reference to FIG. 5.

If the code signing authority accepts the software application Y, then adigital signature, and preferably a signature identification, areappended to the software application Y in step 46. As described above,the digital signature may be generated by using a hash of the softwareapplication Y and a private signature key 18. The signatureidentification is described below with reference to FIGS. 3 and 4. Oncethe digital signature and signature identification are appended to thesoftware application Y to generate a signed software application, thesigned software application Y is returned to the software developer instep 48. The software developer may then license the signed softwareapplication Y to be loaded onto a mobile device (step 50). If the codesigning authority rejects the software application Y, however, then arejection notification is preferably sent to the software developer(step 44), and the software application Y will be unable to access anyAPI(s) associated with the signature.

In an alternative embodiment, the software developer may provide thecode signing authority with only a hash of the software application Y,or provide the software application Y in some type of abridged format.If the software application Y is a Java application, then the deviceindependent binary *.class files may be used in the hashing operation,although device dependent files such as *.cod files used by the assigneeof the present application may instead be used in hashing or otherdigital signature operations when software applications are intended foroperation on particular devices or device types. By providing only ahash or abridged version of the software application Y, the softwaredeveloper may have the software application Y signed without revealingproprietary code to the code signing authority. The hash of the softwareapplication Y, along with the private signature key 18, may then be usedby the code signing authority to generate the digital signature. If anotherwise abridged version of the software application Y is sent to thecode signing authority, then the abridged version may similarly be usedto generate the digital signature, provided that the abridging scheme oralgorithm, like a hashing algorithm, generates different outputs fordifferent inputs. This ensures that every software application will havea different abridged version and thus a different signature that canonly be verified when appended to the particular corresponding softwareapplication from which the abridged version was generated. Because thisembodiment does not enable the code signing authority to thoroughlyreview the software application for viruses or other destructive code,however, a registration process between the software developer and thecode signing authority may also be required. For instance, the codesigning authority may agree in advance to provide a trusted softwaredeveloper access to a limited set of sensitive APIs.

In still another alternative embodiment, a software application Y may besubmitted to more than one signing authority. Each signing authority mayfor example be responsible for signing software applications forparticular sensitive APIs or APIs on a particular model of mobile deviceor set of mobile devices that supports the sensitive APIs required by asoftware application. A manufacturer, mobile communication networkoperator, service provider, or corporate client for example may therebyhave signing authority over the use of sensitive APIs for theirparticular mobile device model(s), or the mobile devices operating on aparticular network, subscribing to one or more particular services, ordistributed to corporate employees. A signed software application maythen include a software application and at least one appended digitalsignature appended from each of the signing authorities. Even thoughthese signing authorities in this example would be generating asignature for the same software application, different signing andsignature verification schemes may be associated with the differentsigning authorities.

FIG. 3 is a block diagram of a code signing system 60 on a mobile device62. The system 60 includes a virtual machine 64, a plurality of softwareapplications 66-70, a plurality of API libraries 72-78, and anapplication platform 80. The application platform 80 preferably includesall of the resources on the mobile device 62 that may be accessed by thesoftware applications 66-70. For instance, the application platform mayinclude device hardware 82, the mobile device's operating system 84, orcore software and data models 86. Each API library 72-78 preferablyincludes a plurality of APIs that interface with a resource available inthe application platform. For instance, one API library might includeall of the APIs that interface with a calendar program and calendarentry data models. Another API library might include all of the APIsthat interface with the transmission circuitry and functions of themobile device 62. Yet another API library might include all of the APIscapable of interfacing with lower-level services performed by the mobiledevice's operating system 84. In addition, the plurality of APIlibraries 72-78 may include both libraries that expose a sensitive API74 and 78, such as an interface to a cryptographic function, andlibraries 72 and 76, that may be accessed without exposing sensitiveAPIs. Similarly, the plurality of software applications 66-70 mayinclude both signed software applications 66 and 70 that require accessto one or more sensitive APIs, and unsigned software applications suchas 68. The virtual machine 64 is preferably an object oriented run-timeenvironment such as Sun Micro System's J2ME™ (Java 2 Platform, MicroEdition), which manages the execution of all of the softwareapplications 66-70 operating on the mobile device 62, and links thesoftware applications 66-70 to the various API libraries 72-78.

Software application Y 70 is an example of a signed softwareapplication. Each signed software application preferably includes anactual software application such as software application Y comprisingfor example software code that can be executed on the applicationplatform 80, one or more signature identifications 94 and one or morecorresponding digital signatures 96. Preferably each digital signature96 and associated signature identification 94 in a signed softwareapplication 66 or 70 corresponds to a sensitive API library 74 or 78 towhich the software application X or software application Y requiresaccess. The sensitive API library 74 or 78 may include one or moresensitive APIs. In an alternative embodiment, the signed softwareapplications 66 and 70 may include a digital signature 96 for eachsensitive API within an API library 74 or 78. The signatureidentifications 94 may be unique integers or some other means ofrelating a digital signature 96 to a specific API library 74 or 78, API,application platform 80, or model of mobile device 62.

API library A 78 is an example of an API library that exposes asensitive API. Each API library 74 and 78 including a sensitive APIshould preferably include a description string 88, a public signaturekey 20, and a signature identifier 92. The signature identifier 92preferably corresponds to a signature identification 94 in a signedsoftware application 66 or 70, and enables the virtual machine 64 toquickly match a digital signature 96 with an API library 74 or 78. Thepublic signature key 20 corresponds to the private signature key 18maintained by the code signing authority, and is used to verify theauthenticity of a digital signature 96. The description string 88 mayfor example be a textual message that is displayed on the mobile devicewhen a signed software application 66 or 70 is loaded, or alternativelywhen a software application X or Y attempts to access a sensitive API.

Operationally, when a signed software application 68-70, respectivelyincluding a software application X, Z, or Y, that requires access to asensitive API library 74 or 78 is loaded onto a mobile device, thevirtual machine 64 searches the signed software application for anappended digital signature 96 associated with the API library 74 or 78.Preferably, the appropriate digital signature 96 is located by thevirtual machine 64 by matching the signature identifier 92 in the APIlibrary 74 or 78 with a signature identification 94 on the signedsoftware application. If the signed software application includes theappropriate digital signature 96, then the virtual machine 64 verifiesits authenticity using the public signature key 20. Then, once theappropriate digital signature 96 has been located and verified, thedescription string 88 is preferably displayed on the mobile devicebefore the software application X or Y is executed and accesses thesensitive API. For instance, the description string 88 may display amessage stating that “Application Y is attempting to access API LibraryA,” and thereby provide the mobile device user with the final control togrant or deny access to the sensitive API.

FIG. 3A is a block diagram of a code signing system 61 on a plurality ofmobile devices 62E, 62F and 62G. The system 61 includes a plurality ofmobile devices each of which only three are illustrated, mobile devices62E, 62F and 62G. Also shown is a signed software application 70,including a software application Y to which two digital signatures 96Eand 96F with corresponding signature identifications 94E and 94F havebeen appended. In the example system 61, each pair composed of a digitalsignature and identification, 94E/96E and 94F/96F, corresponds to amodel of mobile device 62, API library 78, or associated platform 80. Ifsignature identifications 94E and 94F correspond to different models ofmobile device 62, then when a signed software application 70 whichincludes a software application Y that requires access to a sensitiveAPI library 78 is loaded onto mobile device 62E, the virtual machine 64searches the signed software application 70 for a digital signature 96Eassociated with the API library 78 by matching identifier 94E withsignature identifier 92. Similarly, when a signed software application70 including a software application Y that requires access to asensitive API library 78 is loaded onto a mobile device 62F, the virtualmachine 64 in device 62F searches the signed software application 70 fora digital signature 96F associated with the API library 78. However,when a software application Y in a signed software application 70 thatrequires access to a sensitive API library 78 is loaded onto a mobiledevice model for which the application developer has not obtained adigital signature, device 62G in the example of FIG. 3A, the virtualmachine 64 in the device 64G does not find a digital signature appendedto the software application Y and consequently, access to the APIlibrary 78 is denied on device 62G. It should be appreciated from theforegoing description that a software application such as softwareapplication Y may have multiple device-specific, library-specific, orAPI-specific signatures or some combination of such signatures appendedthereto. Similarly, different signature verification requirements may beconfigured for the different devices. For example, device 62E mayrequire verification of both a global signature, as well as additionalsignatures for any sensitive APIs to which a software application,requires access in order for the software application to be executed,whereas device 62F may require verification of only a global signatureand device 62G may require verification of signatures only for itssensitive APIs. It should also be apparent that a communication systemmay include devices (not shown) on which a software application Yreceived as part of a signed software application such as 70 may executewithout any signature verification. Although a signed softwareapplication has one or more signatures appended thereto, the softwareapplication Y might possibly be executed on some devices without firsthaving any of its signature(s) verified. Signing of a softwareapplication preferably does not interfere with its execution on devicesin which digital signature verification is not implemented.

FIG. 4 is a flow diagram 100 illustrating the operation of the codesigning system described above with reference to FIGS. 3 and 3A. In step102, a software application is loaded onto a mobile device. Once thesoftware application is loaded, the device, preferably using a virtualmachine, determines whether or not the software application requiresaccess to any API libraries that expose a sensitive API (step 104). Ifnot, then the software application is linked with all of its requiredAPI libraries and executed (step 118). If the software application doesrequire access to a sensitive API, however, then the virtual machineverifies that the software application includes a valid digitalsignature associated with any sensitive APIs to which access isrequired, in steps 106-116.

In step 106, the virtual machine retrieves the public signature key 20and signature identifier 92 from the sensitive API library. Thesignature identifier 92 is then used by the virtual machine in step 108to determine whether or not the software application has an appendeddigital signature 96 with a corresponding signature identification 94.If not, then the software application has not been approved for accessto the sensitive API by a code signing authority, and the softwareapplication is preferably prevented from being executed in step 116. Inalternative embodiments, a software application without a proper digitalsignature 96 may be purged from the mobile device, or may be deniedaccess to the API library exposing the sensitive API but executed to theextent possible without access to the API library. It is alsocontemplated that a user may be prompted for an input when signatureverification fails, thereby providing for user control of suchsubsequent operations as purging of the software application from thedevice.

If a digital signature 96 corresponding to the sensitive API library isappended to the software application and located by the virtual machine,then the virtual machine uses the public key 20 to verify theauthenticity of the digital signature 96 in step 110. This step may beperformed, for example, by using the signature verification schemedescribed above or other alternative signature schemes. If the digitalsignature 96 is not authentic, then the software application ispreferably either not executed, purged, or restricted from accessing thesensitive API as described above with reference to step 116. If thedigital signature is authentic, however, then the description string 88is preferably displayed in step 112, warning the mobile device user thatthe software application requires access to a sensitive API, andpossibly prompting the user for authorization to execute or load thesoftware application (step 114). When more than one signature is to beverified for a software application, then the steps 104-110 arepreferably repeated for each signature before the user is prompted instep 112. If the mobile device user in step 114 authorizes the softwareapplication, then it may be executed and linked to the sensitive APIlibrary in step 118.

FIG. 5 is a flow diagram 200 illustrating the management of the codesigning authorities described with reference to FIG. 3A. At step 210, anapplication developer has developed a new software application which isintended to be executable one or more target device models or types. Thetarget devices may include sets of devices from different manufacturers,sets of device models or types from the same manufacturer, or generallyany sets of devices having particular signature and verificationrequirements. The term “target device” refers to any such set of deviceshaving a common signature requirement. For example, a set of devicesrequiring verification of a device-specific global signature forexecution of all software applications may comprise a target device, anddevices that require both a global signature and further signatures forsensitive APIs may be part of more than one target device set. Thesoftware application may be written in a device independent manner byusing at least one known API, supported on at least one target devicewith an API library. Preferably, the developed software application isintended to be executable on several target devices, each of which hasits own at least one API library.

At step 220, a code signing authority for one target device receives atarget-signing request from the developer. The target signing requestincludes the software application or a hash of the software application,a developer identifier, as well as at least one target device identifierwhich identifies the target device for which a signature is beingrequested. At step 230, the signing authority consults a developerdatabase 235 or other records to determine whether or not to trustdeveloper 220. This determination can be made according to severalcriteria discussed above, such as whether or not the developer has acontractual obligation or has entered into some other type of businessarrangement with a device manufacturer, network operator, serviceprovider, or device manufacturer. If the developer is trusted, then themethod proceeds at step 240. However, if the developer is not trusted,then the software application is rejected (250) and not signed by thesigning authority. Assuming the developer was trusted, at step 240 thesigning authority determines if it has the target private keycorresponding to the submitted target identifier by consulting a privatekey store such as a target private key database 245. If the targetprivate key is found, then a digital signature for the softwareapplication is generated at step 260 and the digital signature or asigned software application including the digital signature appended tothe software application is returned to the developer at step 280.However, if the target private key is not found at step 240, then thesoftware application is rejected at step 270 and no digital signature isgenerated for the software application.

Advantageously, if target signing authorities follow compatibleembodiments of the method outlined in FIG. 5, a network of targetsigning authorities may be established in order to expediently managecode signing authorities and a developer community code signing processproviding signed software applications for multiple targets with lowlikelihood of destructive code.

Should any destructive or otherwise problematic code be found in asoftware application or suspected because of behavior exhibited when asoftware application is executed on a device, then the registration orprivileges of the corresponding application developer with any or allsigning authorities may also be suspended or revoked, since the digitalsignature provides an audit trail through which the developer of aproblematic software application may be identified. In such an event,devices may be informed of the revocation by being configured toperiodically download signature revocation lists, for example. Ifsoftware applications for which the corresponding digital signatureshave been revoked are running on a device, the device may then haltexecution of any such software application and possibly purge thesoftware application from its local storage. If preferred, devices mayalso be configured to re-execute digital signature verifications, forinstance periodically or when a new revocation list is downloaded.

Although a digital signature generated by a signing authority isdependent upon authentication of the application developer andconfirmation that the application developer has been properlyregistered, the digital signature is preferably generated from a hash orotherwise transformed version of the software application and istherefore application-specific. This contrasts with known code signingschemes, in which API access is granted to any software applicationsarriving from trusted application developers or authors. In the codesigning systems and methods described herein, API access is granted onan application-by-application basis and thus can be more strictlycontrolled or regulated.

FIG. 6 is a block diagram of a mobile communication device in which acode signing system and method may be implemented. The mobilecommunication device 610 is preferably a two-way communication devicehaving at least voice and data communication capabilities. The devicepreferably has the capability to communicate with other computer systemson the Internet. Depending on the functionality provided by the device,the device may be referred to as a data messaging device, a two-waypager, a cellular telephone with data messaging capabilities, a wirelessInternet appliance or a data communication device (with or withouttelephony capabilities).

Where the device 610 is enabled for two-way communications, the devicewill incorporate a communication subsystem 611, including a receiver612, a transmitter 614, and associated components such as one or more,preferably embedded or internal, antenna elements 616 and 618, localoscillators (LOs) 613, and a processing module such as a digital signalprocessor (DSP) 620. As will be apparent to those skilled in the fieldof communications, the particular design of the communication subsystem611 will be dependent upon the communication network in which the deviceis intended to operate. For example, a device 610 destined for a NorthAmerican market may include a communication subsystem 611 designed tooperate within the Mobitex™ mobile communication system or DataTAC™mobile communication system, whereas a device 610 intended for use inEurope may incorporate a General Packet Radio Service (GPRS)communication subsystem 611.

Network access requirements will also vary depending upon the type ofnetwork 919. For example, in the Mobitex and DataTAC networks, mobiledevices such as 610 are registered on the network using a uniqueidentification number associated with each device. In GPRS networkshowever, network access is associated with a subscriber or user of adevice 610. A GPRS device therefore requires a subscriber identitymodule (not shown), commonly referred to as a SIM card, in order tooperate on a GPRS network. Without a SIM card, a GPRS device will not befully functional. Local or non-network communication functions (if any)may be operable, but the device 610 will be unable to carry out anyfunctions involving communications over network 619, other than anylegally required operations such as “911” emergency calling.

When required network registration or activation procedures have beencompleted, a device 610 may send and receive communication signals overthe network 619. Signals received by the antenna 616 through acommunication network 619 are input to the receiver 612, which mayperform such common receiver functions as signal amplification,frequency down conversion, filtering, channel selection and the like,and in the example system shown in FIG. 6, analog to digital conversion.Analog to digital conversion of a received signal allows more complexcommunication functions such as demodulation and decoding to beperformed in the DSP 620. In a similar manner, signals to be transmittedare processed, including modulation and encoding for example, by the DSP620 and input to the transmitter 614 for digital to analog conversion,frequency up conversion, filtering, amplification and transmission overthe communication network 619 via the antenna 618.

The DSP 620 not only processes communication signals, but also providesfor receiver and transmitter control. For example, the gains applied tocommunication signals in the receiver 612 and transmitter 614 may beadaptively controlled through automatic gain control algorithmsimplemented in the DSP 620.

The device 610 preferably includes a microprocessor 638 which controlsthe overall operation of the device. Communication functions, includingat least data and voice communications, are performed through thecommunication subsystem 611. The microprocessor 638 also interacts withfurther device subsystems or resources such as the display 622, flashmemory 624, random access memory (RAM) 626, auxiliary input/output (I/O)subsystems 628, serial port 630, keyboard 632, speaker 634, microphone636, a short-range communications subsystem 640 and any other devicesubsystems generally designated as 642. APIs, including sensitive APIsrequiring verification of one or more corresponding digital signaturesbefore access is granted, may be provided on the device 610 to interfacebetween software applications and any of the resources shown in FIG. 6.

Some of the subsystems shown in FIG. 6 perform communication-relatedfunctions, whereas other subsystems may provide “resident” or on-devicefunctions. Notably, some subsystems, such as keyboard 632 and display622 for example, may be used for both communication-related functions,such as entering a text message for transmission over a communicationnetwork, and device-resident functions such as a calculator or tasklist.

Operating system software used by the microprocessor 638, and possiblyAPIs to be accessed by software applications, is preferably stored in apersistent store such as flash memory 624, which may instead be a readonly memory (ROM) or similar storage element (not shown). Those skilledin the art will appreciate that the operating system, specific devicesoftware applications, or parts thereof, may be temporarily loaded intoa volatile store such as RAM 626. It is contemplated that received andtransmitted communication signals may also be stored to RAM 626.

The microprocessor 638, in addition to its operating system functions,preferably enables execution of software applications on the device. Apredetermined set of applications which control basic device operations,including at least data and voice communication applications forexample, will normally be installed on the device 610 duringmanufacture. A preferred application that may be loaded onto the devicemay be a personal information manager (PIM) application having theability to organize and manage data items relating to the device usersuch as, but not limited to e-mail, calendar events, voice mails,appointments, and task items. Naturally, one or more memory stores wouldbe available on the device to facilitate storage of PIM data items onthe device. Such PIM application would preferably have the ability tosend and receive data items, via the wireless network. In a preferredembodiment, the PIM data items are seamlessly integrated, synchronizedand updated, via the wireless network, with the device user'scorresponding data items stored or associated with a host computersystem thereby creating a mirrored host computer on the mobile devicewith respect to the data items at least. This would be especiallyadvantageous in the case where the host computer system is the mobiledevice user's office computer system. Further applications, includingsigned software applications as described above, may also be loaded ontothe device 610 through the network 619, an auxiliary I/O subsystem 62S,serial port 630, short-range communications subsystem 640 or any othersuitable subsystem 642. The device microprocessor 638 may then verifyany digital signatures, possibly including both “global” devicesignatures and API-specific signatures, appended to such a softwareapplication before the software application can be executed by themicroprocessor 638 and/or access any associated sensitive APIs. Suchflexibility in application installation increases the functionality ofthe device and may provide enhanced on-device functions,communication-related functions, or both. For example, securecommunication applications may enable electronic commerce functions andother such financial transactions to be performed using the device 610,through a crypto API and a crypto module which implements cryptoalgorithms on the device (not shown).

In a data communication mode, a received signal such as a text messageor web page download will be processed by the communication subsystem611 and input to the microprocessor 638, which will preferably furtherprocess the received signal for output to the display 622, oralternatively to an auxiliary I/O device 628. A user of device 610 mayalso compose data items such as email messages for example, using thekeyboard 632, which is preferably a complete alphanumeric keyboard ortelephone-type keypad, in conjunction with the display 622 and possiblyan auxiliary I/O device 628. Such composed items may then be transmittedover a communication network through the communication subsystem 611.

For voice communications, overall operation of the device 610 issubstantially similar, except that received signals would preferably beoutput to a speaker 634 and signals for transmission would be generatedby a microphone 636. Alternative voice or audio I/O subsystems such as avoice message recording subsystem may also be implemented on the device610. Although voice or audio signal output is preferably accomplishedprimarily through the speaker 634, the display 622 may also be used toprovide an indication of the identity of a calling party, the durationof a voice call, or other voice call related information for example.

The serial port 630 in FIG. 6 would normally be implemented in apersonal digital assistant (PDA)-type communication device for whichsynchronization with a user's desktop computer (not shown) may bedesirable, but is an optional device component. Such a port 630 wouldenable a user to set preferences through an external device or softwareapplication and would extend the capabilities of the device by providingfor information or software downloads to the device 610 other thanthrough a wireless communication network. The alternate download pathmay for example be used to load an encryption key onto the devicethrough a direct and thus reliable and trusted connection to therebyenable secure device communication.

A short-range communications subsystem 640 is a further optionalcomponent which may provide for communication between the device 624 anddifferent systems or devices, which need not necessarily be similardevices. For example, the subsystem 640 may include an infrared deviceand associated circuits and components or a Bluetooth™ communicationmodule to provide for communication with similarly-enabled systems anddevices.

The embodiments described herein are examples of structures, systems ormethods having elements corresponding to the elements of the inventionrecited in the claims. This written description may enable those skilledin the art to make and use embodiments having alternative elements thatlikewise correspond to the elements of the invention recited in theclaims. The intended scope of the invention thus includes otherstructures, systems or methods that do not differ from the literallanguage of the claims, and further includes other structures, systemsor methods with insubstantial differences from the literal language ofthe claims.

For example, when a software application is rejected at step 250 in themethod shown in FIG. 5, the signing authority may request that thedeveloper sign a contract or enter into a business relationship with adevice manufacturer or other entity on whose behalf the signingauthority acts. Similarly, if a software application is rejected at step270, authority to sign the software application may be delegated to adifferent signing authority. The signing of a software applicationfollowing delegation of signing of the software application to thedifferent authority can proceed substantially as shown in FIG. 5,wherein the target signing authority that received the original requestfrom the trusted developer at step 220 requests that the softwareapplication be signed by the different signing authority on behalf ofthe trusted developer from the target signing authority. Once a trustrelationship has been established between code signing authorities,target private code signing keys could be shared between code signingauthorities to improve performance of the method at step 240, or adevice may be configured to validate digital signatures from either ofthe trusted signing authorities.

In addition, although described primarily in the context of softwareapplications, code signing systems and methods according to the presentinvention may also be applied to other device-related components,including but in no way limited to, commands and associated commandarguments, and libraries configured to interface with device resources.Such commands and libraries may be sent to mobile devices by devicemanufacturers, device owners, network operators, service providers,software application developers and the like. It would be desirable tocontrol the execution of any command that may affect device operation,such as a command to change a device identification code or wirelesscommunication network address for example, by requiring verification ofone or more digital signatures before a command can be executed on adevice, in accordance with the code signing systems and methodsdescribed and claimed herein.

We claim:
 1. A method of controlling access by code to one or moreapplication programming interfaces (APIs) of a device, the methodcomprising: determining whether the code is signed with an authenticdigital signature indicating authorization for the code to access one ormore specific APIs of the device, wherein the authentic digitalsignature is generated by a code signing authority that issues authenticdigital signatures external to the device; and controlling access by thecode to the one or more specific APIs depending on whether the code issigned with the authentic digital signature.
 2. The method of claim 1,further comprising: purging the code from the device if the code doesnot include the authentic digital signature.
 3. The method of claim 1,wherein controlling access by the code further comprises: denying thecode access to the one or more specific APIs if the code does notinclude the authentic digital signature.
 4. The method of claim 1,wherein controlling access by the code further comprises: granting thecode access to the one or more specific APIs if the code includes theauthentic digital signature.
 5. The method of claim 1, wherein theauthentic digital signature corresponds to a plurality of APIs.
 6. Themethod of claim 1, wherein the code includes a plurality of digitalsignatures; and wherein the plurality of digital signatures includesdigital signatures corresponding to different APIs.
 7. The method ofclaim 1, wherein the code includes a plurality of digital signatures;and wherein the plurality of digital signatures includes digitalsignatures associated with different types of devices.
 8. The method ofclaim 6, wherein each of the plurality of digital signatures wasgenerated by a respective corresponding code signing authority.
 9. Themethod of claim 8, wherein each of the plurality of digital signatureswas generated by its corresponding code signing authority by applying arespective private key associated with the code signing authority to ahash of the code.
 10. The method of claim 1, wherein determining whetherthe code includes the authentic digital signature comprises: generatinga hash of the code to obtain a generated hash; applying a public key toa digital signature included in the code to obtain a recovered hash,wherein the public key corresponds to a private key used to generate thedigital signature; and comparing the generated hash with the recoveredhash.
 11. The method of claim 1, wherein determining whether the codeincludes the authentic digital signature comprises: determining whetherthe code includes an authentic global signature.
 12. The method of claim1, wherein the code comprises any of the following: a softwareapplication, an update to a software application, a command, a commandargument, or a library.
 13. The method of claim 1, further comprising:displaying a message if the code attempts to access the one or morespecific APIs.
 14. The method of claim 1, further comprising: receivinga user command granting or denying the code access to the one or morespecific APIs.
 15. The method of claim 1, wherein the one or morespecific APIs are associated with one or more libraries, the one or morelibraries including a public signature key used to determine whether thecode includes the authentic digital signature, the method furthercomprising: receiving, at a computing device, a code signing requestfrom a requestor in order to gain access to the one or more specificAPIs; and providing a digital signature to the requestor.
 16. Acomputing device comprising: one or more hardware processors enabled todetermine whether code is signed with an authentic digital signatureindicating authorization for the code to access one or more specificAPIs of the computing device, wherein the authentic digital signature isgenerated by a code signing authority that issues authentic digitalsignatures external to the computing device; and the one or morehardware processors being further enabled to control access by the codeto the one or more specific APIs depending on whether the code includesthe authentic digital signature.
 17. The computing device of claim 16,the one or more hardware processors being further enabled to purge thecode from the computing device if the code does not include theauthentic digital signature.
 18. The computing device of claim 16, theone or more hardware processors being further enabled to deny the codeaccess to the one or more specific APIs if the code does not include theauthentic digital signature.
 19. The computing device of claim 16, theone or more hardware processors being further enabled to grant the codeaccess to the one or more specific APIs if the code includes theauthentic digital signature.
 20. The computing device of claim 16,wherein the authentic digital signature corresponds to a plurality ofAPIs.
 21. The computing device of claim 16, wherein the code includes aplurality of digital signatures; and wherein the plurality of digitalsignatures includes digital signatures corresponding to different APIs.22. The computing device of claim 16, wherein the code includes aplurality of digital signatures; and wherein the plurality of digitalsignatures includes digital signatures associated with different typesof computing devices.
 23. The computing device of claim 16, wherein thecode includes a plurality of digital signatures was generated by arespective corresponding code signing authority.
 24. The computingdevice of claim 23, wherein each of the plurality of digital signatureswas generated by its corresponding code signing authority by applying arespective private key associated with the code signing authority to ahash of the code.
 25. The computing device of claim 16, whereindetermining whether the code includes the authentic digital signaturecomprises: generating a hash of the code to obtain a generated hash;applying a public key to a digital signature included in the code toobtain a recovered hash, wherein the public key corresponds to a privatekey used to generate the digital signature; and comparing the generatedhash with the recovered hash.
 26. The computing device of claim 16,wherein determining whether the code includes the authentic digitalsignature comprises: determining whether the code includes an authenticglobal signature.
 27. The computing device of claim 16, wherein the codecomprises any of the following: a software application, an update to asoftware application, a command, a command argument, or a library. 28.The computing device of claim 16, the one or more hardware processorsbeing further enabled to display a message if the code attempts toaccess the one or more specific APIs.
 29. The computing device of claim16, the one or more hardware processors being further enabled to receivea user command granting or denying the code access to the one or morespecific APIs.
 30. The computing device of claim 16, wherein the one ormore specific APIs are associated with one or more libraries, the one ormore libraries including a public signature key used to determinewhether the code includes the authentic digital signature, wherein theone or more hardware processors being further enabled to receive, at acomputing device, a code signing request from a requestor in order togain access to the one or more specific APIs, and provide a digitalsignature to the requestor.
 31. One or more non-transitory computerreadable memories comprising instructions that when executed by one ormore processors of a computing device cause the one or more processorsto perform instructions comprising: determining whether code is signedwith an authentic digital signature indicating authorization for thecode to access one or more specific APIs of the computing device,wherein the authentic digital signature is generated by a code signingauthority that issues authentic digital signatures external to thecomputing device; and, controlling access by the code to the one or morespecific APIs depending on whether the code includes the authenticdigital signature.
 32. The one or more non-transitory computer readablememories of claim 31, the instructions further comprising: purging thecode from the device if the code does not include the authentic digitalsignature.
 33. The one or more non-transitory computer readable memoriesof claim 31, the instructions further comprising: denying the codeaccess to the one or more specific APIs if the code does not include theauthentic digital signature.
 34. The one or more non-transitory computerreadable memories of claim 31, the instructions further comprising:granting the code access to the one or more specific APIs if the codeincludes the authentic digital signature.
 35. The one or morenon-transitory computer readable memories of claim 31, wherein theauthentic digital signature corresponds to a plurality of APIs.
 36. Theone or more non-transitory computer readable memories of claim 31,wherein the code includes a plurality of digital signatures; and whereinthe plurality of digital signatures includes digital signaturescorresponding to different APIs.
 37. The one or more non-transitorycomputer readable memories of claim 31, wherein the code includes aplurality of digital signatures; and wherein the plurality of digitalsignatures includes digital signatures associated with different typesof devices.
 38. The one or more non-transitory computer readablememories of claim 36, wherein each of the plurality of digitalsignatures was generated by a respective corresponding code signingauthority.
 39. The one or more non-transitory computer readable memoriesof claim 38, wherein each of the plurality of digital signatures wasgenerated by its corresponding code signing authority by applying arespective private key associated with the code signing authority to ahash of the code.
 40. The one or more non-transitory computer readablememories of claim 31, wherein determining whether the code includes theauthentic digital signature comprises: generating a hash of the code toobtain a generated hash; applying a public key to a digital signatureincluded in the code to obtain a recovered hash, wherein the public keycorresponds to a private key used to generate the digital signature; andcomparing the generated hash with the recovered hash.
 41. The one ormore non-transitory computer readable memories of claim 31, whereindetermining whether the code includes the authentic digital signaturecomprises: determining whether the code includes an authentic globalsignature.
 42. The one or more non-transitory computer readable memoriesof claim 31, wherein the code comprises any of the following: a softwareapplication, an update to a software application, a command, a commandargument, or a library.
 43. The one or more non-transitory computerreadable memories of claim 31, the instructions further comprising:displaying a message if the code attempts to access the one or morespecific APIs.
 44. The one or more non-transitory computer readablememories of claim 31, the instructions further comprising: receiving auser command granting or denying the code access to the one or morespecific APIs.
 45. The one or more non-transitory computer readablememories of claim 31, wherein the one or more specific APIs areassociated with one or more libraries, the one or more librariesincluding a public signature key used to determine whether the codeincludes the authentic digital signature, the method further comprising:receiving, at a computing device, a code signing request from arequestor in order to gain access to the one or more specific APIs; andproviding a digital signature to the requestor.
 46. A method ofcontrolling access by code to one or more application programminginterfaces (APIs) of a device, the method comprising: determiningwhether the code is signed with an authentic digital signatureindicating authorization for the code to access one or more specificAPIs of the device, wherein the authentic digital signature is generatedby a code signing authority that issues authentic digital signaturesexternal to the device, wherein the code signing authority includes anyone or more of a manufacturer of the computing device, an author of theone or more specific APIs, a representative of the manufacturer of thecomputing device, or a representative of the author of the one or morespecific APIs; and controlling access by the code to the one or morespecific APIs depending on whether the code is signed with the authenticdigital signature.
 47. A computing device comprising: one or morehardware processors enabled to determine whether code is signed with anauthentic digital signature indicating authorization for the code toaccess one or more specific APIs of the computing device, wherein theauthentic digital signature is generated by a code signing authoritythat issues authentic digital signatures external to the computingdevice, wherein the code signing authority includes any one or more of amanufacturer of the computing device, an author of the one or morespecific APIs, a representative of the manufacturer of the computingdevice, or a representative of the author of the one or more specificAPIs; and the one or more hardware processors being further enabled tocontrol access by the code to the one or more specific APIs depending onwhether the code includes the authentic digital signature.
 48. One ormore non-transitory computer readable memories comprising instructionsthat when executed by one or more processors of a computing device causethe one or more processors to perform instructions comprising:determining whether code is signed with an authentic digital signatureindicating authorization for the code to access one or more specificAPIs of the computing device, wherein the authentic digital signature isgenerated by a code signing authority that issues authentic digitalsignatures external to the computing device, wherein the code signingauthority includes any one or more of a manufacturer of the computingdevice, an author of the one or more specific APIs, a representative ofthe manufacturer of the computing device, or a representative of theauthor of the one or more specific APIs; and controlling access by thecode to the one or more specific APIs depending on whether the codeincludes the authentic digital signature.